LSA Shell (Export Version) + can't use TrendMicro House Call

Status
Not open for further replies.
M

mohrng

Posts: 20   +0
hello, techspot gurus...

i've had a couple of strange problems lately - both today, in fact. at this point, i haven't noticed any performance issues, but i'd like to know what's going on in there...

first, i got an error message relating to "LSA Shell (Export Version)". after this error message, i was told i had 60 seconds before the computer would shut down - i was locked-in to this, with no visible way to abort the shutdown. this LSA Shell error has only occurred once (to my knowledge).

searches related to the LSA Shell problem led to alot of old (2004-06) threads mostly dicussing varieties of the Sasser virus. i downloaded and ran McAfee's Stinger and Symantec's standalone "Sasser Fix" - neither one found anything amiss. i ran SS+D, but it also found nothing. i searched a little more, found some more old info, and then tried TrendMicro's House Call: this is where it gets weird... i successfully ran House Call, but it somehow failed in the final moments. House call had already showed me a few problems - none seeming severe - which it intended to remove. after i clicked on the remove button, it froze up and the program became unresponsive. i tried House Call again and received this message upon attempting to begin the connection: "An error occurred while trying to transfer data from the Internet! Do you want Trend Micro House Call to try resending the required files?" then IE became unresponsive and the message window was frozen (whether i chose "Yes", "No", or tried to exit IE by clicking the X, i couldn't get out). i eventually just CTRL-ALT-DEL-eted my way out. and i've done the same three subsequent times... i can't get House Call to work. i re-read the "8 simple steps" and had to download some new stuff due to changes since the last time i was here.

i ran MalwareBytes and SuperAnti-Spyware. i'll post the MalwareBytes log, but the SAS search turned up nothing. also, here is my HJT log (made after I'd done all the other steps).

so... those are my onle two symptoms - LSA Shell (Export Version) crashing the system once, and inability to run HouseCall.

thanks for all you guys do.
 
Help with HijackThis log?

it seems that no one who is interested in helping has run across my previous post... is there something i should do to get noticed?
i'd really apprecaite if someone would look at my HijackThis log (attached to the previous post) and advise me about any changes i should make to my system.
thanks!
 
still can't run HouseCall

here are all of the logs, fresh off the presses.
all the scans were clean, including my Symantec anti-virus. i also ran a SS+D scan which turned up no spyware.

i still can't run TrendMicro HouseCall. just tried, and again i received the same error message (see my first post). IE became unresponsive, i used CTRL-ALT-DEL to shut it down.

thanks for any help anyone can offer.
 
OK I needed to be sure.

What do you mean SS+D?

Humor me here.

I want to be sure your Norton and AVG AntiSpyware are not interfering with the scans.

Download SD Fix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

After posting the SDFix log

Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Reboot again to Safe mode and

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

Mike
 
SD Fix report

here's the SD Fix report. i'll get right on the Combo Fix.
Question: i told windows not to make system restore points (because I read elsewhere that some malware use that feature to basically reattach themselves after anti-malware programs clean them up). is this wise? i'm planning on system restore back on after i get word from you that my computer is clean again.

also, when i've referred to "SD+D" i meant "Spybot-Search & Destroy"

thanks
 
problems

i'm having some issues with the ComboFix step.

i downloaded ComboFix from your link. i rebooted into safe mode, and tried to run ComboFix... but it told me i didn't have a current version. i tried the other link, but it appears to be the same version. i tried to run ComboFix anyway (despite it telling me it wasn't optimal because i was running an outdated version), but then ComboFix told me i had Symantec Auto-Protect running, which would mess with its operations. so i didn't run ComboFix.

i went into Symantec, and tried to turn off auto-protect. couldn't do it, it said it was locked by Admin. rebooted as Admin, tried to turn off auto-protect. still couldn't figure out how to disable it, but i did change it from "auto-protect on startup" to "auto protect when symantec is running." only problem is, Symantec is always running. i'm not sure how to make it stop. do i "unload" it?

another auto-protect type issue: i noticed in my free version of Ad-aware that under "AdWatch Live!", both "registry" and "network" are turned off, but "processes" is turned on. i noticed that processes claimed to have stopped a harmful process today. that process had a TAI of 10 - so now i'm worried about turning the "processes" part of "Ad-Watch Live!" off. what do you think? i've attached the Ad-Aware log about the process it blocked.

lastly - my clock is now displaying in military time. doesn't usually do that.

suggestions for what to do next?
 
That is a false positive from SDFix.

Delete the SDFix install from the desktop then browse and delete the c:\SDFix folder.

Did you ever have combofix before?

Start-Run
type
combofix /u
hit enter or click OK.

This uninstalls ComboFix.

Now redownload it.

Boot to Safe Mode run Taskmgr and end all AntiSpyware and Norton processes that you can.

Then run combofix.

I am tired done for the night. Will check in in the morning.

Good night!

Mike
 
alright, i'm back to work on this.
cleared out SDFix, uninstalled ComboFix, reinstalled ComboFix.
rebooted in Safe Mode. no error message about ComboFix being out-of-date: so that's good.

still got a message from ComboFix saying it detected that Symantec AntiVirus AutoProtect was running. ComboFix says it shouldn't run while AutoProtect is running, or something might explode. or something like that.

did Run - taskmgr
didn't look like AutoProtect or anything Norton was running.
here is a list of all of the processes which were running in Safe Mode. are any of these the ones i need to shut down?
(the following all end in ".exe")
ctfmon
wmiprvse
explorer
svchost
guard
svchost
svchost
lsass
services
winlogon
csrss
smss

(the two below don't end in ".exe")
System
System Idle Process

when i go into Symantec to try to disable the Auto-Protect, i can't. i find the proper menu, but the check box labeled "Enable Auto-Protect" is always checked. i can't uncheck it, even as admin, because it is light gray instead of black, and next to it it says "(Disabled)." which, means i am completely unable to turn it off, right? so... i don't know how to turn off Auto-Protect, also don't know how to shut down Symantec.

thus, i still haven't been able to run ComboFix. sorry - i'm probably missing something stupid. thanks again for your help. i'll be here at my house able to work on this until about 6 central time. if you're taking the weekend off, no worries.
 
OK here are 2 solutions.

This is a keeper http://www.mlin.net/StartupCPL.shtml

Try only this first if it don't work do the clean boot below.

Just run it uncheck everything related to Norton/Symantec Adaware etc
then reboot.

When finished below recheck them back and reboot and they are back.

Norton is sticky and may hang on so..

Here are 3 links on how to do a clean boot of XP 3 links just for insight.
http://support.microsoft.com/kb/310353
http://www.freebits.co.uk/cleanboot.html
http://www.pctechguide.com/tutorials/CleanBoot_Boot.htm

You will reverse it when finished!

Note if you are concerned about reinfection after downloading all then pull the network cable while doing all.

Mike
 
tried the first link. the application worked, but after i rebooted in Safe Mode and tried to run ComboFix, i still got the message from ComboFix indicating that Symantec AntiVirus Auto-Protect was running.

tried the three links about doing a clean boot. i think i successfully clean booted to Safe Mode, but still got the same message from ComboFix.

i feel like these are my options:
1. just say to hell with it and run ComboFix anyway. or is this likely to damage my computer?
2. "unload" Symantec AntiVirus. except i'm not sure what "unloading" it will do, exactly.

what do you think?
how can Auto-Protect be running if I can't see it in Task Manager?
 
1. just say to hell with it and run ComboFix anyway. or is this likely to damage my computer?

Won't hurt! Do it!

BTW: We have cleaned some bad Malware so what is the state of the system now?

Mike
 
ok. i'm not near my PC now, but i'll run ComboFix tonight or tomorrow and post the log right away.

i haven't noticed any problems, exactly, since we cleared that stuff out, but i still for some reason cannot run TrendMicro HouseCall.
 
OK do this.

Uninstall any Trend HouseCall in Add/Remove programs.

Do a windows search for trend*.* delete those entries that are obviously HouseCall!

Reboot.

Then do the below...

Update then run SAS
Click Preferences-Repairs

Then counting down from top do the following entries
Numbers 6, ,8 11, 12, 13, 15, 18, 19, 20, 23 and 24!

Reboot!

Now try the Trend.

Mike
 
ComboFix log

ok. i just did a clean boot into safe mode, and then i ran ComboFix.
the log is attached.

i followed your instructions from previous post - did not get the same error message from TrendMicro HouseCall as before... but it still didn't run. just looked like it was getting ready to, and said "idle."
 
Couple more to get!

Boot to Safe mode networking to do the below!

Left Drag mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt.
Code: 
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del  tdss*.* /f /q /s
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

attrib -h -s -r "c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}"
attrib -h -s -r c:\program files\[u]0[/u]93004-15v.ram

rd /s /q "c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}"
del /"c:\program files\[u]0[/u]93004-15v.ram" f /q 

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finshed ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

Then run combofix once more to be sure it comes up clean post log.

Mike
 
new ComboFix Log

alright - did what you said. copied that whole string of commmands into command prompt. didn't have to hit enter or anything: it just went and did it's thing on its own (is that what should've happened). also, i'm obviously no expert on these things, but reading through commandm prompt afterwards, it seemed like some of the things in the commands you sent me worked, and some didn't... couldn't figure out how to copy-paste from that though... maybe they worked and i just mis-interpreted the feedback.

anyway, after i ran the command stuff, i rebooted into safe mode and ran ComboFix again. here's the new log.

thanks again for all your help and for sticking with this problem for the last several days.
 
That was a general cover all type script that works on what if finds and may give an error if it don't find something. So no problem.

OK it looks as tho we are finished except for one item and it should be a quick remove.

Run MBAM click More Tools-Run Tool
Copy and paste the text in the box to the File name: box and click OK to delete the file.
Code: 
c:\program files\[u]0[/u]93004-15v.ram

Reboot paste a final HJT log and update me on the status of the system, how is it now and are there remaining issues.

Mike
 
did it!
thanks again, you've been very helpful.
God bless!
mohrng

p.s. do you have any general advice about safety/ malware prevention practices? or a link to such advice?
 
OK so all is fixed no more issues?

The answer to your question is in the closing below.

Thread closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.


Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Widows Defender or other guards or security programs while OTCleanIt attempting access to the Internet to allow all.

If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.

-------------------------------------------------------------------------------------
Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can and are likely found is in System Restore so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about the prompt to help you determine to approve or not you can google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot ocassionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly reccomend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
Status
Not open for further replies.

Similar threads

midian182
Lawsuit over fatal 2017 Call of Duty swatting incident ends in $5 million settlement
Replies
11
Views
684
sdms96825
S
Shawn Knight
Google Fiber puts out a call to test 20 Gig Internet service
Replies
6
Views
524
loki1944
L
Skeezix
How Can I remove the Start Menu Icons in Open-Shell Version 4.4.170? [Solved]
Replies
3
Views
2K
Skeezix
Skeezix

Latest posts

Back